Data processing addendum

Effective February 20, 2024

This Data Processing Addendum (“DPA”) applies whenever it is incorporated by reference into the Master Services Agreement (“Agreement”) between you and Code42.  Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement or Data Protection Laws.

To provide the Offerings to you under the Agreement, Code42 Processes Customer Data, which includes Personal Data.  This DPA reflects the parties’ agreement relating to the Processing of Personal Data in accordance with Data Protection Laws.

1. Definitions

1.1 “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.
1.2 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
1.3 “Data Protection Laws” means any applicable data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states.
1.4 “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.5 “Personal Data” means any personal data, as defined under Data Protection Laws, that is contained within Customer Data.
1.6 “Processing”, “Processes” or “Process” means any operation or set of operations performed upon Personal Data whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
1.7 “Processor” means the entity that Processes Personal Data on behalf of the Controller, including a “service provider” as that term is defined under CCPA.
1.8 “Restricted Transfer” means a transfer of Personal Data subject to Data Protection Laws in the EU, Switzerland and/or UK to a third country which is not subject to an adequacy decision by the European Commission or the competent Swiss or UK authorities (as applicable).
1.9 “Standard Contractual Clauses” means the standard contractual clauses for transfers of personal data to third countries which do not show an adequate level of data protection as approved by the European Commission decision 2021/914, dated 4 June 2021, incorporated herein by reference.
1.10 “Sub-processor” means a third-party service provider that Code42 has engaged in its role as a Processor to assist Code42 in fulfilling its obligations with respect to the Agreement or this DPA where such entity processes Personal Data.

 

2. Processing of Personal Data

2.1 Data Processing Roles. As between you and Code42, you are the Controller (or Processor) and Code42 is the Processor (or Sub-processor, as applicable).
2.2 Customer Processing of Personal Data.
As Controller, you control the categories of Data Subjects and Personal Data Processed under the Agreement and are solely responsible for the accuracy, quality, and legality of the Personal Data and how you acquired such Personal Data. You will comply with your obligations under Data Protection Laws in your processing of Personal Data and any processing instruction you issue to Code42.
2.3 Code42 Processing of Personal Data.
(A) Code42 will only Process Personal Data for purposes of providing the Offerings and in accordance with your documented instructions as set out in the Agreement and this DPA, and as required by Data Protection Laws. The parties must agree in writing on any additional or alternate instructions. Code42 will inform you if, in Code42’s opinion, your instructions violate Data Protection Laws.

(B) To the extent Code42 Processes Personal Data subject to the CCPA, Code42 will not (i) collect, retain, use or disclose Personal Data for any purpose other than the specified purposes set out in the Agreement or outside the direct business relationship between you and Code42; (ii) “sell” or “share” the Personal Data (as those terms are defined under the CCPA); or (iii) combine the Personal Data with any personal information Code42 collected or has received from another source, except as instructed by you or as permitted by Data Protection Laws.

(C) Code42 certifies that it understands and will comply with the obligations and restrictions of this Section 2. Code42 will inform you if it determines that it can no longer meet its obligations under Data Protection Laws, in which case you may take reasonable and appropriate steps to prevent, stop or remediate any unauthorized processing of Personal Data.

3. Data Subject Rights

3.1 Correction, Blocking and Deletion. If you do not have the ability to amend, block, or delete Personal Data as required by Data Protection Laws, you can provide written instructions to Code42 to act on your behalf. Code42 will follow your instructions to the extent technically feasible and legally permissible. You will pay Code42’s costs of providing this assistance if the assistance exceeds the services provided under the Agreement.
3.2 Data Subject Requests. If permitted, Code42 will promptly notify you of any request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. Code42 will not respond to any Data Subject request without your prior written consent, except to confirm that the request relates to you.
3.3 Cooperation and Assistance. Code42 will assist you to address any request, complaint, notice, or communication you receive relating to Code42’s Processing of Personal Data received from a Data Subject or any applicable data protection authority. Code42 will also assist you with your reasonable requests for information to confirm compliance with this DPA or to conduct a privacy impact assessment. You will pay Code42’s costs of providing assistance if the assistance exceeds the services provided under the Agreement.

4. Sub-processors

4.1 Authorization. You expressly authorize Code42 to engage Sub-processors to Process Personal Data to enable Code42 to perform specific services under the Agreement. You authorize Code42’s use of the Sub-processors listed at: http://code42.com/r/support/dpa-subprocessors (“Sub-processor List”).
4.2 Requirements. Code42 has written agreements with its Sub-processors that contain data protection obligations substantially similar to Code42’s obligations under this DPA. Code42 is liable for any breach of this DPA caused by an act or omission of its Sub-processors.
4.3 Notice and Objection. Code42 will notify you of the engagement of any new Sub-processor, and the parties agree that such notice may be given by Code42 updating the Sub-processor List. You can subscribe to receive email notification by emailing privacynotices@code42.com with the email address to which you want notification sent. If you subscribe, Code42 will notify you by email of new Sub-processors before authorizing such Sub-processor(s) to process Personal Data. You have a right to reasonably object to Code42’s use of a new Sub-processor by notifying Code42 in writing within 10 business days after Code42 publishes notice of a new Sub-processor. If you do so, Code42 will use reasonable efforts to change the affected Software or Cloud Service or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Personal Data by the new Sub-processor. If Code42 is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate only the Subscription Term for the Software and Cloud Service that Code42 cannot provide without using the new Sub-processor. You must provide written notice of termination to Code42 in accordance with the Agreement. Code42 will promptly refund you the fees applicable to the unused portion of the Subscription Term for the terminated Software and Cloud Services offering.

5. Security

5.1 Protection of Personal Data. Code42 maintains appropriate administrative, technical and organizational safeguards to protect Personal Data from unauthorized or unlawful Processing and from accidental loss, destruction, or damage. Code42’s safeguards are described in the Information Security Addendum available at https://support.code42.com/hc/en-us/articles/14827695887383-Information-security-addendum#information-security-addendum.
5.2 Incident Management and Breach Notification. Code42 will notify you within 24 hours of becoming aware of a breach of Personal Data. To the extent known, the notice will include (A) a description of the nature of the Personal Data breach, including the categories and approximate number of your Data Subjects concerned and the categories and approximate number of your records concerned; (B) the name and contact details of a Code42 contact point for more information; (C) the measures Code42 is taking to address the breach, including measures to mitigate its possible adverse effects. You can find more information about Code42’s incident response procedures in the Information Security Addendum.
5.3 Confidentiality. Code42 personnel engaged in the Processing of Personal Data are informed about the confidential nature of such Personal Data, receive appropriate training on their responsibilities and are subject to written agreements with confidentiality obligations that survive the termination of their relationship with Code42.
5.4 Limitation of Access. Code42 ensures that access to Personal Data is limited to those personnel who require access to perform the services under the Agreement.
5.5 Certifications and Audits. Code42 uses external auditors to verify the adequacy of its security measures. Such audits are performed at least annually by independent third-party security professionals and result in the generation of a confidential audit report (“Audit Report”). Code42’s certifications and Audit Report are described in the Information Security Addendum.
5.6 Customer Audits. Code42 will provide you a copy of the Audit Report upon request so that you can reasonably verify Code42’s compliance with its obligations under this DPA. To the extent required by Data Protection Laws, Code42 will provide additional information and will allow and contribute to audits. You will provide written notice to Code42 to request an audit of the procedures relevant to Code42’s Processing of your Personal Data. The audit must be conducted during normal business hours and cannot unreasonably interfere with Code42’s day-to-day operations. You will conduct the audit at your own expense and reimburse Code42 for time spent on an on-site audit at Code42’s then current rates.

6. Return and Deletion of Personal Data

Upon termination or expiration of your Subscription Term, or at any time upon your request, Code42 will delete your Personal Data in accordance with the Agreement. Code42 will provide a certificate of deletion upon request. The Software and Cloud Services allow you to retrieve Customer Data at any time prior to the end of a Subscription Term. Providing this functionality through the Software and Cloud Services during the Subscription Term satisfies any obligation of Code42 to return Personal Data.

7. Cross-Border Data Transfers

7.1 Data Privacy Framework. Code42 participates in and certifies compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework (together, the “Data Privacy Framework”). As required by the Data Privacy Framework, Code42 will (i) provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (ii) notify you if Code42 makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, and (iii) upon notice, take reasonable and appropriate steps to remediate any unauthorized processing.
7.2 APEC Privacy Recognition for Processors. Code42 has obtained APEC Privacy Recognition for Processors (“PRP”) certification. Code42 will process Personal Data transferred from the APEC region in accordance with its PRP certification.
7.3 Restricted Transfers. To the extent Code42’s Processing involves a Restricted Transfer, the parties agree that the Standard Contractual Clauses are incorporated into this DPA and apply to the transfer as set forth in Sections 7.4, 7.5 and 7.6 below.
(A) Transfers from the EEA. Where the Restricted Transfer is made from the EEA, the Standard Contractual Clauses apply as follows:
i. Module Two applies where you are the Controller and Code42 is the Processor, and Module Three applies where both you and Code42 are Processors.
ii. Clause 7: The optional docking clause does not apply.
iii. Clause 8.9: The audit described in Clause 8.9 shall be carried out in accordance with Section 5.6 of this DPA.
iv. Clause 9(a): Option 2 (General written authorization) applies and the period for prior notice of changes to our sub-processors is set forth in Section 4 of this DPA.
v. Clause 11(a): The optional language does not apply.
vi. Clause 17: The Parties agree that the governing law shall be the law of Germany.
vii. Annex I of the Standard Contractual Clauses is completed with the information in Schedule A to this DPA. Annex II is completed with the information in Schedule 2 to this DPA, and Annex III is completed with the information in Section 4.1 of this DPA.
(B) Transfers from Switzerland. Where the Restricted Transfer is made from Switzerland, the Standard Contractual Clauses apply as modified in Section 7.4 above, except:
i. Clause 13: The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner if the Restricted Transfer is governed by the Swiss Federal Act on Data Protection (FDAP).
ii. References to ‘Member State’ refer to Switzerland and Data Subjects located in Switzerland may exercise and enforce their rights under the Standard Contractual Clauses in Switzerland.
iii. References to the General Data Protection Regulation (GDPR) refer to the FDAP, as amended or replaced.
(C) Transfers from the UK. Where the Restricted Transfer is made from the UK, the Standard Contractual Clauses apply as modified in Section 7.4 above, subject to the following:
i. The International Data Transfer Addendum to the Standard Contractual Clauses (“UK Addendum”) applies and is hereby incorporated by reference.
ii. Clauses 17 and 18: The laws and courts of England and Wales shall govern.
iii. The information provided in this Section 7, Schedule 1 and Schedule 2 provides the information required for completing the UK Addendum.

 

Schedule 1

A. List of Parties

Data exporter:

Name: The data exporter is the customer that is party to the Agreement with Code42 Software, Inc.

Address: The address associated with the data exporter’s Code42 account or as otherwise specified in the DPA or Agreement.

Contact details: The contact details associated with the data exporter’s account, or as otherwise specified in the DPA or Agreement.

Activities relevant to the data transferred under the clauses: The activities specified in Section 2 of the DPA.

Role (controller/processor): Controller

 

Data importer:

Name: The data importer is Code42 Software, Inc., a global provider of data security services. 

Address: 100 Washington Avenue S, Suite 2000, Minneapolis, MN 55401, United States.

Contact details: privacy@code42.com.

Activities relevant to the data transferred under the clauses: The activities specified in Section 2 of the DPA.

Role (controller/processor): Processor

 

B. Description of the transfer

Categories of Data subjects

The categories of data subjects whose personal data may be processed include: data exporter’s employees, consultants, contractors, agents, prospects, customers, vendors, business partners and users authorized to use the Services; employees or contacts of third parties data exporter conducts business with.

Categories of personal data transferred 

The personal data transferred may include the following categories of data: first and last name, employer, professional title, contact information (email, phone number, physical address), username, identification data (IP address, device ID) and any other personal data provided through the services; depending on the data exporter’s endpoint environment and naming conventions, data transferred may include personal data, such as that possibly found in a computer name, user name or file name.

Sensitive data transferred (if appropriate)

The personal data transferred may include sensitive personal data, the extent of which is determined and controlled solely by the data exporter, and which may include: racial or ethnic origin; political opinions, religious or philosophical beliefs; trade-union membership; health data; and data concerning sex-life or sexual orientation. 

Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Personal data is transferred in accordance with the data exporter’s instructions as described in Section 2 of the DPA.

Nature of the Processing 

The personal data will be processed for purposes of providing the services as described in the Agreement. The personal data transferred may be subject to the following basic processing activities: cloud based storage, retrieval, erasure or destruction, disclosure by transmission, analysis and any other processing necessary to provide and improve the services pursuant to the Agreement; to provide technical support; and otherwise in accordance with the data exporter’s instructions or to comply with law.

Purpose(s) of the data transfer and further processing

To provide the Services under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

The duration of processing will be as specified and in accordance with the published data retention policies under the Agreement.   

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The personal data transferred may be disclosed to sub-processors of data importer solely as permitted by data importer to provide the services to data exporter under the Agreement, a current list of which is available at: https://support.code42.com/hc/en-us/articles/14827701351959-Code42-authorized-subprocessors  

C. Competent supervisory authority

The data exporter’s competent supervisory authority will be determined in accordance with the General Data Protection Regulation.

 

Schedule 2

Code42 will maintain administrative, technical and organizational security measures for protection of the security, confidentiality and integrity of Customer Data, including Personal Data, as set forth below.

 

1. Purpose

1.1 This describes the minimum information security standards that Code42 maintains to protect your Customer Data.  Requirements in this ISA are in addition to any requirements in the Agreement. 

1.2 Code42 follows AICPA guidelines and regularly reviews controls as described in Code42’s SOC2 Type II independent auditor report ("SOC2 Report"). For your convenience, Code42 references some of the applicable SOC2 controls in this ISA. See the SOC2 Report for exact language. Code42 will provide you with a copy of the SOC2 Report upon request. 

 

2. Encryption and key management

2.1 Code42 uses industry-standard encryption techniques to encrypt Customer Data at rest and in transit (SOC: C-10). 

2.2 All connections are authenticated and encrypted using industry standard encryption technology (SOC: C-11).

2.3 Code42’s key generation utilizes keys that are generated with methods consistent with industry accepted best practices and is reviewed on an annual basis. (SOC: C-12)

2.4 Customer Data is checked for integrity during transit to provide Code42 the ability to detect data tampering or corruption. (SOC: C-9).

 

3. Support and maintenance

Code42 deploys changes to the Cloud Services during scheduled maintenance windows, details of which are posted to the Code42 website prior to the scheduled period. In the event of a service interruption, Code42 posts a notification to the website describing the affected services. Code42 provides status updates, high level information regarding upgrades, new release availability, and minimum release version requirements via the Code42 website (SOC: CM-11).

 

4. Incident response and notification

4.1 “Incident” means a security event that compromises the confidentiality, integrity or availability of a Code42 information asset. “Breach” means an Incident that results in the confirmed disclosure, not just potential exposure, of Customer Data to an unauthorized party.

4.2 Code42 has an incident response plan, including a breach notification process, to assess, escalate, and respond to identified physical and cyber security Incidents that impact the organization, customers, or result in data loss. Discovered intrusions and vulnerabilities are resolved in accordance with established procedures. The incident response plan is reviewed and updated annually and more frequently as needed (SOC: OPS-4).

4.3 If there is a Breach involving your Customer Data, Code42 will (A) notify you within 24 hours of discovery of the Breach, (B) reasonably cooperate with you with respect to such Breach, and (C) take appropriate corrective action to mitigate any risks or damages involved with the Breach to protect your Customer Data from further compromise. Code42 will take any other actions that may be required by applicable law as a result of the Breach.  

 

5. Code42 security program

5.1 Scope and Contents. Code42 maintains a written security program that (A) complies with applicable global industry recognized information security frameworks, (B) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Data and (C) is appropriate to the nature, size and complexity of Code42’s business operations. 

5.2 Security Program Changes. Code42 policies (including the Code42 Code of Conduct), standards, and operating procedures related to security, confidentiality, integrity and availability are made available to all Code42 personnel via the corporate intranet. Security policies are reviewed, updated (as needed), and approved at least annually to maintain their continuing relevance and accuracy. Code42 personnel are required to review and acknowledge Security policies during on-boarding and annually thereafter (SOC: ORG-2). 

5.3 Security Officer. The Code42 Chief Information Security Officer and security team develop, maintain, review and approve Code42 Security Policies.

5.4 Security Training & Awareness. All Code42 personnel are required to complete security awareness training at least annually (SOC: ORG-8). Code42 conducts periodic security awareness education to give personnel direction for creating and maintaining a secure workplace. (SOC: COM-11).

 

6. Risk management

6.1 Code42 has a security risk assessment and management process to identify and remediate potential threats to Code42. Risk ratings are assigned to all identified risks, and remediation is managed by security personnel (SOC: RM-1). Executive management is kept apprised of the risk posture of the organization.

6.2 Code42 has an established insider threat risk management program to monitor, alert and investigate threats posed by both non-malicious and malicious actors inside the organization on an on-going basis. Identified issues are reviewed and investigated as appropriate (SOC: RM-2).

6.3 Threat and vulnerability management and security testing. Code42’s Threat and Vulnerability Management (TVM) program monitors for vulnerabilities on an on-going basis (SOC: RM-3). Code42 conducts monthly internal and external vulnerability scans using industry-recognized vulnerability scanning tools. Identified vulnerabilities are evaluated, documented and remediated to address the associated risk(s). (SOC: RM-6). Ongoing bug bounty and external penetration tests are conducted annually by an independent third party. Findings from these tests are evaluated, documented and remediated (SOC: RM-7).

 

7. Access management

7.1 Code42 assigns application and data rights based on security groups and roles, which are created based on the principle of least privilege. Security access requests are approved by the designated individual prior to provisioning access (SOC: LA-1).

7.2 Code42 classifies informational assets in accordance with the Code42 data classification guideline (SOC: C-5).

7.3 Access to Code42 systems and networks is disabled promptly upon notification of termination (SOC: LA-7). 

7.4 Code42 reviews administrator access to confidential and restricted systems, including corporate and cloud networks, on a semiannual basis. Code42 reviews administrator access to the cloud production environment and to select corporate systems that provide broad privileged access on a quarterly basis. Any inappropriate access is removed promptly (SOC: LA-8). 

7.5 Code42 uses separate administrative accounts to perform privileged functions, and accounts are restricted to authorized personnel (SOC: LA-9).

 

8. Password management and authentication controls

Authentication mechanisms require users to identify and authenticate to the corporate network with their unique user ID and password. Code42 requires minimum password parameters for the corporate network via a directory service system (SOC: LA-2). 

 

9. Remote access and cloud access

Remote access to the corporate network is secured through a virtual private network (VPN) solution with two-factor authentication (SOC: LA-3). Access to the cloud network requires two authentication steps; authorized users must log on to the corporate network and then authenticate using separate credentials through a jump box server (SOC: LA-4).

 

10. Asset configuration and security

Endpoint detection and response (EDR) technology is installed and activated on all Code42 endpoints to monitor for virus and malware infections. Endpoint devices are scanned in real-time. Monitoring is in place to indicate when an anti-virus agent does not check in for prolonged periods of time. Issues are investigated and remediated as appropriate. Virus definition updates are automatically pushed out to endpoint devices from the EDR technology as they become available. (SOC: LA-11). Code42 uses full-disk encryption on endpoint devices. Endpoint devices are monitored and encrypted using industry recognized tools. Code42 has tools to identify and alert IT administrators of discrepancies between Code42 security policies and a user's endpoint settings (SOC: LA-12). Code42 maintains and regularly updates an inventory of corporate and cloud infrastructure assets, and systematically reconciles the asset inventory annually (SOC: OPS-5).

 

11. Logging and monitoring

Code42 continuously monitors application, infrastructure, network, data storage space and system performance (SOC: OPS-1). Code42 utilizes a security information event monitoring (SIEM) system. The SIEM pulls real-time security log information from servers, firewalls, routers, intrusion detection system (IDS) devices, end users and administrator activity. The SIEM is configured for alerts and is monitored on an ongoing basis. Logs contain details on the date, time, source, and type of events. Code42 reviews this information and works events worthy of real-time review (SOC: OPS-2). 

 

12. Change management

Code42 has change management policies and procedures for requesting, testing and approving application, infrastructure and product related changes. All changes receive a risk score based on risk and impact criteria. Low risk changes generate automated change tickets and have various levels of approval based on risk score. High risk changes require manual change tickets to be created and are reviewed by approvers based on change type. Planned changes to the corporate or cloud production environments are reviewed regularly. Change documentation and approvals are maintained in a ticketing system (SOC: CM-1). Product development changes undergo various levels of review and testing based on change type, including security and code reviews, regression, and user acceptance testing prior to approval for deployment (SOC: CM-2). Following the successful completion of testing, changes are reviewed and approved by appropriate managers prior to implementation to production (SOC: CM-3). Code42 uses dedicated environments separate from production for development and testing activities. Access to move code into production is limited and restricted to authorized personnel (SOC: CM-9).

 

13. Secure development

Code42 has a software development life cycle (SDLC) process, consistent with Code42 security policies, that governs the acquisition, development, implementation, configuration, maintenance, modification and management of Code42 infrastructure and software components (SOC: CM-4). Prior to the final release of a new Code42 system version to the production cloud environment, code is pushed through lower tier environments for testing and certification (SOC: CM-6). Code42 follows secure coding guidelines based on leading industry standards. These guidelines are updated as needed and available to personnel via the corporate intranet. Code42 developers receive annual secure coding training (SOC: CM-7). Code42 utilizes a code versioning control system to maintain the integrity and security of the application source code (SOC: CM-8).

 

14. Network security

Code42 uses network perimeter defense solutions, including an IDS and firewalls, to monitor, detect and prevent malicious network activity. Security personnel monitor items detected and take appropriate action (SOC: LA-15). Firewall rule changes (that meet the criteria for the corporate change management criteria) follow the change management process and require approval by the appropriate approvers (SOC: LA-16). Code42’s corporate and cloud networks are logically segmented by virtual local area networks (VLANs) and firewalls monitor traffic to restrict access to authorized users, systems and services (SOC: LA-17).

 

15. Third party security

Code42 assesses and manages the risks associated with existing and new third party vendors. Code42 employs a risk-based scoring model for each third party (SOC: MON-2). Code42 requires third parties to enter into contractual commitments that contain security, availability, processing integrity and confidentiality requirements and operational responsibilities as necessary (SOC: COM-9). Code42 evaluates the physical security controls and assurance reports for data centers on an annual basis. Code42 assesses the impact of any issues identified and tracks any remediation efforts (SOC: MON-3).

 

16. Physical security

Code42 grants access to data centers and Code42 offices by job responsibility, and access is removed as part of the Code42 separation or internal job transfer process when access is no longer required (SOC: LA-21; SOC: LA-22). Access to Code42 offices is managed by a badging system that logs access, and any unauthorized attempts are logged and denied. Code42 personnel and visitors are required to display identity badges at all times within Code42 offices. Code42 maintains visitor logs and requires visitors to be escorted by Code42 personnel (SOC: LA-23).  

 

17. Oversight and audit

Internal audits are aligned to Code42’s information security program and compliance requirements. Code42 conducts internal control assessments to validate that controls are operating effectively. Issues identified from assessments are documented, tracked and remediated (SOC: MON-1). Internal controls related to security, availability, processing integrity and confidentiality are audited by an external independent auditor at least annually and in accordance with applicable regulatory and industry standards. 

 

18. Business continuity plan

Code42 maintains a Business Continuity Plan and a Disaster Recovery Plan to manage significant disruptions to Code42 operations and infrastructure. These plans are reviewed and updated periodically and approved on an annual basis (SOC: A-5). Code42 conducts business continuity exercises to evaluate Code42 tools, processes and subject matter expertise in response to specific incidents. Results of these exercises are documented and any issues identified are tracked to remediation (SOC: A-6).

 

19. Human resources security

Code42 has procedures in place to guide the hiring process. Background verification checks are completed for Code42 personnel in accordance with relevant laws and regulations (SOC: ORG-5). Code42 requires personnel to sign a confidentiality agreement as a condition of employment (SOC: C-2). Code42 maintains a disciplinary process to take action against personnel that do not comply with company policies, including Code42 security policies (SOC: ORG-3).